August 20, 2009

Antivirus experts have found an odd virus that attacks Delphi (versions 5 to 7) by changing a library unit to get compiled into your own programs.

Antivirus experts have found an odd virus that attacks Delphi library units to get compiled into your programs. The W32/Induc-A virus doesn't affect executable files, but looks for a Delphi installation (apparently versions 5, 6 and 7), modifies SysConst.pas (backing up the original) and gets compiled by Delphi into your own programs, to keep spreading.

In the CodeGear newsgroups there are already several developers who have been infected over the last 3 or 4 weeks, simply by testing utilities written in Delphi and downloaded from the web. Given the popularity of Delphi as a development tool for utilities, this is probably a fairly common scenario.

So if you are still developing with an old version of Delphi, besides recommending that you upgrade your development tool, I suggest you run a good antivirus program. Otherwise some of the users of your programs might get virus warnings that are not false positives, as happens from time to time with Delphi applications, but real virus alerts, even if lightweight ones, as the virus seems to spread but not cause any other damage.

Another way to check your system, according to reports, is to look at the timestamp of SysConst.dcu, under the lib folder, or check if there is a sysconst.bak file in the same folder.
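The check above can be scripted. The following is an added example, not code from the original post or from any antivirus vendor: it looks for sysconst.bak in a Delphi Lib folder and compares SHA-256 hashes of the files there against a known-good snapshot taken earlier. The function names and the sample folder built in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(lib_dir):
    """Map lower-cased file name -> SHA-256 for every file directly in lib_dir."""
    files = (p for p in Path(lib_dir).iterdir() if p.is_file())
    return {p.name.lower(): hashlib.sha256(p.read_bytes()).hexdigest() for p in files}


def check_lib(lib_dir, baseline):
    """Compare lib_dir with a known-good baseline and return a list of findings."""
    current = snapshot(lib_dir)
    findings = []
    # Indicator named in the reports: a sysconst.bak next to SysConst.dcu.
    if "sysconst.bak" in current:
        findings.append("sysconst.bak present")
    # Content hashes do not depend on the file's timestamp being updated.
    for name, digest in sorted(current.items()):
        if name not in baseline:
            findings.append(f"new file: {name}")
        elif baseline[name] != digest:
            findings.append(f"modified: {name}")
    findings += [f"missing: {n}" for n in sorted(baseline) if n not in current]
    return findings


def demo():
    """Build a constructed Lib folder, baseline it, then simulate the reported changes."""
    with tempfile.TemporaryDirectory() as d:
        lib = Path(d)
        (lib / "SysConst.dcu").write_bytes(b"constructed clean unit")
        (lib / "SysUtils.dcu").write_bytes(b"constructed other unit")
        baseline = snapshot(lib)          # taken while the folder is known good
        clean = check_lib(lib, baseline)  # nothing changed yet
        stamp = (lib / "SysConst.dcu").stat()
        (lib / "sysconst.bak").write_bytes(b"constructed clean unit")
        (lib / "SysConst.dcu").write_bytes(b"constructed altered unit")
        # Put the old timestamp back so only the content differs.
        os.utime(lib / "SysConst.dcu", (stamp.st_atime, stamp.st_mtime))
        return clean, check_lib(lib, baseline)


if __name__ == "__main__":
    print(demo())
```

Take the baseline right after a clean Delphi install and keep it somewhere the development account cannot write to.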

I'm not sure if this is something to be happy about in this scenario, but given the huge number of Delphi free and shareware programs available, there is a good chance this virus spreads. So, please, let all your fellow Delphi developers know about this (even if mild) threat. And suggest they upgrade ;-)

Virus W32/Induc-A Attacks Delphi SysConst.pas

Indeed, the virus was detected 8 days ago in the Russian
Delphi community:
http://www.delphikingdom.ru/asp/answer.asp?IDAnswer=70912
The virus was discovered by the same guy who
writes for the EurekaLog blog.
According to poll results in the Russian Delphi
blogosphere, 40% of developers were infected (from
over 100 that voted).
So, keep an eye on your Delphi\Lib folder. Imho, the
best way to protect it is to include Delphi Lib and
Bin folders under control of any Version Control System.

Virus W32/Induc-A Attacks Delphi SysConst.pas

Install Comodo Internet Security and use the "My
Protected Files" functionality in Defence+.

Comment by Frode on August 20, 14:55

Virus W32/Induc-A Attacks Delphi SysConst.pas

Simply don't use the PC with admin rights and
"magically" <program files> files are read-only....

Comment by Luigi D. Sandon on August 20, 19:46

Virus W32/Induc-A Attacks Delphi SysConst.pas

The sysconst.dcu does not get its modified date/time
altered. It will still display whatever it was when
you installed Delphi.
I ended up getting infected from downloading
TBASSPlayer components from Torry's Delphi Pages. I
sent the author and the owner of the site an email
about it. It seems the BassPlayer library
MBDrawer.dll in the component distribution zip file
is infected with the virus.

Virus W32/Induc-A Attacks Delphi SysConst.pas

Hi Marco,
See here too:
http://www.dslreports.com/forum/r22902624-Compiler-Virus-Infects-Thousands-of-Programs?r=302
A majority of people infected need to deploy better
hex. Simple as that.
Can anyone tell if the dev machines were used to
browse? Hence I use VMs backed up to known states and
I gain portability, easy backups, no dependence on
physical hardware, simple to "rollback" etc...
The so-called "Delphi Virus" hyped in the press is a
POC and no more. There is no "PAYLOAD". This lesson
does apply to ALL dev tools however.
Regards,
m0d